
Do you know how your organisation would react in a real-world attack scenario?

Find out where your weaknesses lie with a Red Team Assessment
and take action now to improve your security posture.

www.nccgroup.trust
WHAT IS RED TEAMING AND WHY WOULD YOU NEED TO ENGAGE A RED TEAM?
In today’s hostile threat landscape, how to mitigate risk and prevent an organisation from becoming victim to a cyber attack, fraud or act of
corporate espionage should be on every board agenda.

With the significant increase in the number of reported cyber attacks, organisations of all
sizes now carry out red teaming as part of their cyber security strategy to assess their cyber
resilience and overall security posture and help reduce the risk of becoming a victim.

Now more than ever, organisations require assurance that the investment they are making
in both cyber & physical security is working and keeping malicious attackers from achieving
their aim.

Red teaming exercises are carried out to gauge an organisation’s resilience to sophisticated,
planned, and sustained attack and assess multiple facets of an organisation’s cyber strategy,
maturity and protection levels.

Once commissioned for a project, our elite security team take the role of a malicious intruder
and carry out covert hostile reconnaissance (both physical and cyber) followed by a full-blown
covert attack against the target organisation.

Assessments of this nature help measure the likelihood that a threat actor could gain
remote access to an organisation’s most sensitive systems and data, bypassing existing
preventative or remedial controls.

Our Red Team assessments test the effectiveness of an organisation’s security procedures,
awareness and control in a real-world attack scenario.

All Rights Reserved. © NCC Group 2015 Understanding Red Team Attacks 2
WHAT DO WE DO DURING A RED TEAM EVENT?

The elements assessed in a typical red team engagement include:

• Detection, response and remediation capabilities
• Open source intelligence footprint
• Staff awareness and susceptibility to social engineering
• System & software design and implementation
• Technical countermeasures and defence-in-depth level
• Crisis management processes and procedures

Working to pre-agreed rules of engagement the team uses a wide
range of techniques to try to gain access and bypass security
defences, including:

• Social engineering
• Covert entry
• Intelligence gathering
• Dumpster diving
• Technical surveillance

At the end of the mission we will provide a C-level recommendation
report, detailing the key areas for remediation.

WHAT IS AT RISK?

Business Critical Assets

Engaging in red team activity will provide you with an understanding of which of your business critical assets or systems could be at risk.

Most organisations are dependent on business critical systems or assets to run their day-to-day operations. Imagine a situation where a criminal attack takes down your business critical assets and you begin to lose money by the second. Even worse if you don’t have a recovery plan in place to get things back online quickly and efficiently.

Being aware of the risks will allow you to plan ahead and protect your business critical assets which will in turn help assure your revenue, customer experience and reputation.

Intellectual Property

Organisations of all sizes can suffer intellectual property theft, whether they hold plans for the next generation fighter jet or simply proprietary ideas and processes that are considered trade secrets.

Information such as customer data can be valuable in bulk, especially if an insider steals it using their legitimate access to a computer system and then sells it to an outsider or competitor.

Some threat actors will have the goal of infiltrating an organisation and remaining resident for a long period, slowly stealing as much intellectual property as possible. Often the smallest evidence of unusual activity can lead to the discovery that an attacker has been present for many months or, in the worst case, years.

Strategic Business Information

Many organisations worry about the loss of strategic business information; this could include an embargoed press release or sensitive pricing information and is especially relevant at certain points in the growth of an organisation, for example when seeking funding or undertaking an initial public offering (IPO).

Imagine the consequences if your organisation is competing for a contract and a competitor knows the precise details of your bid, or if internal documents are disclosed to the media during a sensitive regulatory investigation.

This type of strategic business information is at risk from both external threat actors and rogue employees with scores to settle.

Financial Loss

The financial impact of an incident is often the cost of remedying the effects on the business; however, fraud can also be a primary motivation for an insider or external threat actor.

NCC Group has recently dealt with a number of incidents in which organised criminal activity was responsible for the theft of large sums of money or monetary instruments from companies, using similar techniques to those often seen against home users.

Reputational Damage

Often one of the biggest difficulties during a cyber incident can be how to communicate with staff or customers when few facts are available and no solid conclusions have been reached. However, a poor response to a cyber incident can cause additional damage, especially in an age in which potentially-incorrect information is often available on social media soon after a breach is reported.

Some incidents may cause limited damage in themselves, but may harm an organisation’s reputation. For example, a lost laptop which is properly encrypted may pose no real threat, but can still be an embarrassment. It is worth remembering that some attackers, such as “hacktivist” groups who use attacks to spread their particular message or gain recognition, are motivated solely by causing reputational damage.

HOW DOES IT WORK?

Project Initiation

Before the project can get underway a series of meetings or conference calls are arranged to set out the terms of the engagement. This phase ensures that we are operating within the boundaries set out by you and that minimal disruption is caused to the day-to-day running of the organisation.

Planning & Intelligence

Information is gathered using information about an organisation that is available within the public domain. This could include information that would be useful in performing phishing-style attacks or lists of physical sites owned by the target organisation. If appropriate, physical reconnaissance may also be undertaken at this point within the assessment to identify times of heavy footfall through the entrance and exits of a targeted building, in order to identify the best windows of time in which to attempt physical breach attacks.

Breach

Physical access to corporate buildings, by tailgating or social engineering, is often the first step to gaining a foothold within an organisation. Stand-off electronic attacks against wireless networks, or intelligence-led spear-phishing attacks, can also be used when trying to gain entry.

Command & Control

The command and control phase examines the organisation’s resilience to an attacker establishing a secure command and control channel. It examines how quickly unusual outbound traffic or data exfiltration can be identified by the organisation under assessment.

Lateral Movement

The assessment will then typically proceed to a phase in which lateral movement through the organisation is used to identify and access business-critical or commercially-sensitive systems. This phase will generate network activity which may look significantly different to a traditional penetration test.

CONCLUSION & ADDITIONAL RESOURCES

Every organisation would benefit from a red team engagement as it would result in a list
of security-related findings that, when addressed, will improve the security posture of the
organisation.

NCC Group’s first experience of red teaming dates back to 2000, when we worked with
the very early IP-based mobile telecommunication networks and performed live red-team
assessments against 2G, 2.5G, 3G and 4G networks from a subscriber handset perspective
against the network core.

We have developed and refined a strategy and supporting methodologies which, when
adopted, minimise the risks posed to these systems and functions during red team
engagements no matter which vertical the organisation operates in.

ADDITIONAL RESOURCES
Blog - Red Team - Train like you fight

Whitepaper - Cyber red-teaming business-critical systems while managing operational risk

Services - CBEST & CREST STAR

All of our cyber security research and thought leadership is available at:
www.nccgroup.trust/research

ABOUT NCC GROUP

NCC Group is a global information assurance specialist. As the cyber
arms race and technology revolution continue to outpace the ability of
organisations to cope with the plethora of security, performance and
availability issues, we are best placed to help organisations to manage the
risk and limit the threat.
With our knowledge, experience, capability and global footprint we are
committed to ensuring that organisations have access to a total information
assurance solution that works for them. We assure the protection of your
information against malicious attacks and data loss.
Through expert security and penetration testing, forensic services, incident
response, compliance advice, vulnerability research and logical and physical
audits we will help you to strengthen your position in the cyber arms race.
With the UK’s largest penetration testing team and top-level accreditations
from bodies ranging from the government’s CESG CHECK scheme to the
PCI Security Standards Council, we are a trusted advisor to over 15,000
clients worldwide.
We are passionate about changing the shape of the Internet and making it
safer.

Visit: www.nccgroup.trust
Contact: response@nccgroup.trust

@nccgroupplc